United States Patent [19]
Coley et al.

[11] Patent Number: 5,826,014
[45] Date of Patent: Oct. 20, 1998

US005826014A
[54] FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK

[75] Inventors: Christopher D. Coley, Morgan Hill; Ralph E. Wesinger, Jr., Livermore, both of Calif.

[73] Assignee: Network Engineering Software, San Jose, Calif.

[21] Appl. No.: 595,957
[22] Filed: Feb. 6, 1996

[51] Int. Cl.6: G06F 12/14
[52] U.S. Cl.: 395/187.01
[58] Field of Search: 395/187.01, 186, 395/200.55, 200.59, 726, 188.01; 340/825.31, 825.34; 380/3, 4, 48, 24; 364/222.5, 286.4, 286.5, 479.07

[56] References Cited

U.S. PATENT DOCUMENTS

4,713,753 12/1987 Boebert et al. 364/200
4,727,243 2/1988 Savar 235/379
4,799,153 1/1989 Harm et al. 364/200
4,799,156 1/1989 Shavit et al. 364/401
5,191,611 3/1993 Lang 380/25
5,241,594 8/1993 Kung 380/4
5,416,842 5/1995 Aziz 380/30
5,483,661 1/1996 Yoshida et al. 395/800
5,491,752 2/1996 Kaufman et al. 380/30
5,495,533 2/1996 Linehan et al. 380/21
5,548,721 8/1996 Denslow 395/187.01
5,550,984 8/1996 Gelb 395/200.17
5,577,209 11/1996 Boyle et al. 395/200.06
5,590,199 12/1996 Krajewski et al. 380/25
5,602,918 2/1997 Chen et al. 380/21
5,606,668 2/1997 Shwed 395/200.11
5,623,601 4/1997 Vu 395/187.01
5,632,011 5/1997 Landfield et al. 395/326
5,636,371 6/1997 Yu 395/500
5,638,448 6/1997 Nguyen 380/29
5,657,452 8/1997 Kralowetz et al. 395/200.57
5,668,876 9/1997 Falk et al. 380/25
5,687,235 11/1997 Perlman et al. 380/25

OTHER PUBLICATIONS

Goldberg, "The Mitre Security Perimeter", Computer Security Applications Conference, 1994, pp. 212-218.
Bellovin et al., "Network Firewalls", IEEE Communications Magazine, Sep. 1994, pp. 50-57.
Stempel, "IpAccess - An Internet Service Access System for Firewall Installations", Network and Distributed System Security, 1995, pp. 31-41.
Aicklen et al., "Remote Control of Diverse Network Elements Using SNMP", IEEE, 1995, pp. 673-677.
Neuman, "Proxy Based Authorization And Accounting For Distributed Systems", IEEE, 1993, pp. 283-291.

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Stephen C. Elmore
Attorney, Agent, or Firm: McDonnell Boehnen Hulbert & Berghoff

[57] ABSTRACT

Providing a firewall for isolating network elements from a publicly accessible network to which such network elements are attached. The firewall operates on a stand alone computer connected between the public network and the network elements to be protected such that all access to the protected network elements must go through the firewall. The firewall application running on the stand alone computer is preferably the only application running on that machine. The application includes a variety of proxy agents that are specifically assigned to an incoming request in accordance with the service protocol (i.e., port number) indicated in the incoming access request. An assigned proxy agent verifies the authority of an incoming request to access a network element indicated in the request. Once verified, the proxy agent completes the connection to the protected network element on behalf of the source of the incoming request.

36 Claims, 5 Drawing Sheets 
FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK

BACKGROUND

The present invention relates to a system for protecting network elements connected to a public network from access over the public network, and more specifically, to a firewall system for protecting network elements connected to the Internet.

The Internet has experienced, and will continue to experience, explosive growth. As originally designed, the Internet was to provide a means for communicating information between public institutions, particularly universities, in a semi-secure manner to facilitate the transfer of research information. However, with the development and provision of user friendly tools for accessing the Internet, such as the World Wide Web (the Web), the public at large is increasingly turning to the Internet as a source of information and as a means for communicating.

The Internet's success is based, in part, on its support of a wide variety of protocols that allows different computers and computing systems to communicate with each other. All of the Internet-compatible protocols, however, find some basis in the two original Internet protocols: TCP (Transmission Control Protocol) and IP (Internet Protocol). Internet protocols operate by breaking up a data stream into data packets. Each data packet includes a data portion and address information. The IP is responsible for transmitting the data packets from the sender to the receiver over a most efficient route. The TCP is responsible for flow management and for ensuring that packet information is correct. None of the protocols currently supported on the Internet, however, provides a great degree of security. This factor has hindered the growth of commercial services on the Internet.

The government, in learning of the Internet's limited transmission security capacity, has resorted to encoding secure messages using complex encryption schemes. The government abandoned consideration of the Internet for high security information, relying instead on privately operated government networks. The general public, without such concerns, has come to increasingly use the Internet. Furthermore, businesses, having recognized the increasing public use of, and access to, the Internet, have turned to it as a marketing mechanism through which to disseminate information about their products, services and policies.

A popular way for commercial institutions to supply information over the Internet is to establish a homepage on an Internet multi-media service known as the World Wide Web. The World Wide Web ("Web") provides a user-accessible platform that supplies information in text, audio, graphic, and video formats. Each homepage document can contain embedded references to various media. A Web user can interactively browse information by responding to entry prompts nested in a screen within a homepage. Web documents are accessed by using a TCP/IP compatible protocol called HyperText Transfer Protocol (HTTP). A user logged onto the Internet can access a "Web site" by supplying the Web site's address (e.g., "http://srmc.com"). Entry of such an address establishes a session between the user and the Web site.

Provision of a Web homepage involves establishing a user accessible file at a Web site. The Web site can be established on a computing system on the premises of the business or institution providing the homepage, or by contracting to have the homepage built and supported on the computing facilities of an Internet Service Provider (ISP). The assignee of the present application, Scientific Research Management Corporation (SRMC), is an Internet Service Provider.

Use of a company's computing system for support of a publicly accessible system, such as a Web site, can present a threat to the company's internal systems that share the same computing platform, or are connected to the publicly accessible computing platform. Furthermore, in cases where sensitive information is transmitted over the Internet to a company, such information is usually stored on the same computing system that is used for running the on-line Internet system. For instance, some businesses now publish homepage catalogs offering services and products for sale. A user can select products or services from a homepage catalog in an interactive session. After selecting the desired products or services, the homepage may present a payment screen inviting the user to enter credit card information. Handling of such information over a public network such as the Internet requires some measure of security to prevent the information from being intercepted. However, a more important consideration is maintaining the security of such information once it is received and stored in a computing system that is connected to the Internet.

Most computer crime is not in the form of data interception, but involves a network intruder, or "hacker", entering a publicly-accessible computing system and subverting security systems to access stored information. In the recent past there have been several publicized cases where hackers have stolen proprietary information from purportedly secure computers over the Internet.

In many cases where a publicly accessible application, such as a homepage, is set up on a business or institution's premises, it is grafted onto an existing computing system. The existing system also may contain other computing resources such as data bases, and/or internal network systems that are not intended for public access. Provision of a publicly accessible on-line system, such as a Web server, on such a system can provide a scenario that can be exploited by hackers who may attempt to reach systems beyond the Web server using it, or other systems bundled on the computing platform, as access paths. A company or institution may attempt to protect these surrounding systems by password protecting them, or by concealing them from the public with a system called a firewall.

Password protected systems are well known. However, a password prompt announces the presence of proprietary systems and may be an invitation for a hacker to investigate further. Because password systems are widely known, they are somewhat susceptible to hackers who have developed techniques for cracking, bypassing or subverting them. Using conventional desktop computers, hackers have been known to decipher passwords of reasonable lengths in a very short period of time. Provision of longer passwords may thwart a hacker's attempts, but at the expense of user convenience.

The term "firewall" was coined in the computer network environment to describe a system for isolating an internal network, and/or computers, from access through a public network to which the internal network or computers are attached. The purpose of a firewall is to allow network elements to be attached to, and thereby access, a public network without rendering the network elements susceptible to access from the public network. A successful firewall allows for the network elements to communicate and transact with the public network elements without rendering the network elements susceptible to attack or unauthorized
inquiry over the public network. As used herein, the term "network element" can refer to network routers, computers, servers, databases, hosts, modems, or like devices that are typically associated with a computer network.

One technique used by firewalls to protect network elements is known as packet filtering. A packet filter investigates address information contained in a data packet to determine whether the machine from which the packet originated is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass.

One problem with packet filtering is that when unknown address information is encountered in the filtering check (i.e., the packet's address is not on the list), the packet is usually allowed to pass. This practice of allowing unknown packets to pass is based on an Internet design philosophy that promotes the ease of information transfer. Hence, most firewall systems utilizing packet filtering operate on an "allow to pass unless specifically restricted" basis. This practice is invoked with the perception that the packet will eventually be recognized and appropriately routed downstream of the packet filter. However, this practice provides hackers with a means with which to bypass a packet filter.

Hackers have developed a technique known as "source based routing," "packet spoofing," or "IP spoofing" wherein address information within a fabricated packet is manipulated to bypass a packet filter. All network elements that are addressable over the Internet have an address consisting of four octets separated by periods. Each of the octets is an eight bit sequence representing a decimal number between zero and 255. A host computer on the Internet might have an IP address: 19.137.96.1. Source based routing involves a hacker inserting an address of a machine that resides "behind" a firewall into the source address field of a fictitious packet. Such a packet can usually pass through a firewall because most firewalls are transparent to messages that originate from behind the firewall, because the firewall assumes that such messages are inherently valid. To prevent this type of packet spoofing, the packet filter's list of disallowed addresses includes the addresses of elements residing behind the firewall.

Another packet spoofing technique involves setting the "session_active" bit of a packet. By setting this bit in a packet, a packet filter receiving the packet assumes that a valid session has already been established, and that further packet filtering checks are not necessary, thereby allowing the packet to pass. A spoofed packet having its session_active bit set can contain an "establish connection" message. Such a packet can be used to establish a session with a machine behind the firewall.

Additional packet filtering techniques involve investigations of the data portions of packets to determine whether there are any suspect contents, and/or investigations of suspect protocol designations. However, the drawback of these and the aforementioned packet filtering schemes is that, when used in combination, they are cumbersome. This practice impairs the speed with which packet filters do their job.

Conventional firewalls also may use an application gateway, or proxy system. These systems operate on the basis of an application, or a computing platform's operating system (OS), monitoring "ports" receiving incoming connection requests. A port is a numerically designated element contained in the overhead of a packet. A port number indicates the nature of a service associated with a packet. For example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested; a packet containing a port designation of 23 need not necessarily be associated with Telnet services. When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall starts a gateway application, or proxy, that verifies the connection request. However, such a system is vulnerable and inefficient because of the resource intensive nature of the processes involved.

Hackers have been known to inundate a port with requests in an attempt to slip a packet by an application gateway or proxy. This method of attack is known as a "denial of service attack." A typical response to such an attack is to have the OS shut down the targeted port for a period of time. This defense response is necessitated by the inefficiency of conventional port processing. The chain of processes associated with monitoring, managing, and verifying port connections is very inefficient. A denial of service attack can unduly burden system resources. Consequently, the conventional defense is to have the OS shut down the port for a period of time. This security technique prevents entry into a system through that port and restores the availability of system resources. However, it also prevents a user behind the firewall from accessing the port that has been shut down. Hence, this security measure is unacceptable.

Another problematic aspect of conventional firewall arrangements, from a security perspective, is the universal practice of combining a firewall with other packages on a same computing system. This arises in two situations. The first is where the firewall package, in and of itself, is a combination of applications. For example, Trusted Information Systems's recently released Gauntlet application is a combination Web server and firewall. The second situation is the aforementioned practice of hosting publicly accessible and/or unrelated services on a same computing platform that supports the firewall. The services sharing the platform with the firewall may include E-mail, Web servers, or even the system that the firewall is set up to protect (e.g., a database). This situation was discussed briefly above with respect to many companies' practice of grafting a firewall application onto their existing computer systems.

The provision of applications on top of, or in addition to, the firewall on a computing system provides a path through which a hacker can get behind the firewall. This is done by using the unrelated applications to attack the firewall, or to directly connect with network elements being protected by the firewall. The firewall may fail to recognize the attack because the application being exploited by the hacker is authorized to communicate through the firewall. In addition, the firewall might not be able to protect against unexpected flank attacks from shared applications because it is set up specifically to monitor requests from a designated publicly accessible application. Alternatively, the shared application may be used to completely bypass the firewall and attack, or directly connect to, a protected network element.

An example of a conventional firewall arrangement is depicted in FIG. 1. A host computer 100 communicates with an institutional computer system 106 over a public network 102 through a router 104. A router is a network element that directs a packet in accordance with address information contained in the packet. The institutional computer system 106 supports a variety of applications including a Web server 108 and an E-mail system 114. A firewall system 110 also is hosted on the institutional computer 106 to protect a port 112 that connects an internal network 116 to the institutional computer system 106. The internal network 116
may support communication between internal terminal(s) 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, is subject to attack in many ways.

A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the E-mail system 114, to flank attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the E-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking, these network elements in order to attach to, attack, or completely bypass the firewall system 110.

Most conventional firewalls are transparent to packets originating from behind the firewall. Hence, the hacker may insert a source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet is usually able to pass through the firewall system 110. Alternatively, the hacker can set the session_active bit in the fictitious packet to pass through the firewall 110. The packet can be configured to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110.

The hacker can also attempt to attach to the port 112. A conventional application gateway system forms a connection to the port before the firewall 110 is invoked to verify the authority of the request. If enough connection requests hit the port 112, it may be locked out for a period of time, denying service to incoming requests from the public network and, more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in FIG. 1, are unacceptably vulnerable in many ways.

It is readily apparent that the design and implementation of conventional firewalls has rendered them highly vulnerable to hacker attack. What is needed is a true firewall system that overcomes the foregoing disadvantages and is resistant to hacker attack.

SUMMARY

The present invention overcomes the foregoing disadvantages by providing a firewall system that is resistant to conventional modes of attack. A firewall in accordance with the present invention is a stand-alone system that physically resides between a point of public access and a network element to be protected. A firewall arrangement in accordance with the invention operates on a computing platform that is dedicated to the operation of the firewall. Such a dedicated firewall computing platform is referred to herein as a "firewall box." The firewall box is connected to a protected network element by a single connection. Consequently, any communication from a publicly accessible network element to a protected network element must pass through the firewall box. A network element, or elements, to be protected by the firewall are connected to the backside of the firewall.

In a preferred embodiment the firewall box is a stand alone computing platform dedicated to supporting a firewall application. No other applications, services or processes, other than those related to support of the firewall application (e.g., an operating system), are to be maintained on the dedicated firewall box.

The firewall application running on the firewall box is comprised of a plurality of proxy agents. In a preferred embodiment, individual proxy agents are assigned to designated ports to monitor, respond to and verify incoming access requests (i.e., incoming packets) received on the port. Port management by the OS or port management programs is limited to simply assigning an appropriate proxy agent to an incoming access request on a port. The assigned proxy agent immediately verifies the access request before a connection is formed. Using simple verification checks, the proxy agent determines the authority of the access request, quickly and efficiently discarding unauthorized requests without unduly burdening system resources. If the access request is authorized, the assigned proxy agent opens, and thereafter manages, the port connection. In this way, the proxy agent is able to repel denial of service attacks without resorting to shutting down the port.

In a preferred embodiment, a proxy agent is assigned to a request based on the service associated with an access request (e.g., the Telnet port number is indicated). Each proxy agent is thus protocol sensitive to the particular service requirements of an incoming request and can respond with appropriately formatted messages. However, if the protocol of an access request is not configured in accordance with the protocol normally associated with that port, the request is discarded. If proper, the proxy agent can then initiate a set of verification checks to ensure the authority and authenticity of the access request.

Verification tests performed by a proxy agent can involve any variety of checks, including, but not limited to: determinations of valid destination addresses; determination of valid user, or user/password information; validity of an access in view of the time period of the access; presence of executable commands within an access request; or any combination of the latter, or like determinations. Such tests are not performed in conventional firewall systems.

Upon confirming the validity of an incoming access request, a proxy agent initiates the connection to a network element indicated in the access request, or in response to a prompt issued to a user, on behalf of the incoming access request. This has the effect of shielding the identity of network elements on each side of the firewall from a hacker who taps a connection on either side of the firewall. The firewall also can be used in combination with a packet filtering scheme to protect against IP spoofing and source based routing.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing, and other objects, features and advantages of the present invention will be more readily understood upon reading the following detailed description in conjunction with the drawings in which:

FIG. 1 depicts an exemplary computer network arrangement including a conventional firewall arrangement;

FIG. 2 depicts an exemplary computer network arrangement including a firewall arrangement incorporating the present invention;

FIG. 3 depicts another exemplary computer network arrangement including a firewall arrangement incorporating the present invention; and

FIGS. 4A and 4B depict a flow diagram depicting an exemplary process incorporating the present invention.
DETAILED DESCRIPTION

FIG. 2 depicts a block diagram of an exemplary system 
incorporating the invention. Network elements in the form 
of a terminal 216 and a secure database 218 are connected 
to an internal network 214 that is protected behind a firewall 
210. The connection 212 between the internal network 214 
and the firewall 210 is preferably the only connection 
between these two elements. A publicly accessible comput- 
ing system is connected to a public network 202 through a 
router 204. A connection 208 between the firewall 210 and 
the publicly accessible computing system 206 is preferably 
the sole connection between the firewall 210 and the pub- 
licly accessible system 206. By providing the firewall 210 in 
this stand alone configuration, any and all access from the 
public network 202 to the internal network 214 must go 
through the firewall 210. Hence, a user operating a host 
machine 200 who attempts to access the internal network 
214 via the public network 202 must go through the firewall 
210. This arrangement is more robust than conventional 
firewall systems that are susceptible to being bypassed either 
physically or through applications sharing the firewall com- 
puting platform. 

In preferred embodiments of the invention, the firewall 
210 runs on a dedicated firewall box. That is, the computer 
upon which the firewall 210 is running, is dedicated to the 
firewall application. The processes, programs and applica- 
tions running on the firewall computing platform are those 
involved with firewall processes, or their support (i.e., the 
computer's operating system). Consequently, there is 
reduced risk of the firewall being bypassed through appli- 
cations sharing the firewall's computing platform. The addi- 
tion of other, unrelated, applications to the firewall box 
merely compromises the integrity of the firewall. 

The firewall 210 application is comprised of a variety of 
access request validation programs referred to herein as 
"proxy agents." Proxy agents investigate incoming requests 
that seek to access network elements residing behind the 
firewall 210. The nature of incoming access requests can 
vary according to a particular port, or service (e.g., HTTP, 
Telnet, File Transfer Protocol (FTP)) that the incoming 
request seeks to attach to. Accordingly, the firewall 210 
application assesses the characteristics of an incoming 
request and assigns an appropriate proxy agent tailored to 
the particular protocol and verification requirements of that 
incoming access request. In a preferred embodiment, there is 
a designated proxy agent for each port. The proxy agent 
assigned to a port performs all of the verification processes 
and management of the port without involving the operating 
system, or a port manager (as in conventional systems). 
Because it is dedicated to a particular port, a proxy agent is 
capable of providing a more efficient handling of an incom- 
ing request from both a protocol and a verification stand- 
point. The proxy agent makes an immediate verification 
check of an access request before initiating a port connec- 
tion. If the access is deemed suspect, it is immediately 
discarded. The use of proxy agents is more efficient than
conventional chained processes involving OS based verifi- 
cation routines and port management programs that are 
generic to incoming access requests. By immediately check- 
ing for and discarding suspect packets, the proxy agent is 
capable of resisting denial of service attacks without having 
to shut down the port. 

In accordance with another aspect of exemplary embodi- 
ments of the invention, a proxy agent can include a tailored 
set of verification tests. The rigorousness of the tests can be 
dictated by the characteristics of the access request. For 
instance, the source address of an access request can be investigated to determine whether the request is suspect or credible. An inherently reliable request may require only a minimum of verification before being connected, while a suspect request may require enhanced verification. Access request verification can include analysis of: source host machine and source user information; destination host machine and destination user information; and/or time of day analysis. These or other tests can be interactive in nature and prompt a source user to enter user/password information. In some cases a user may be required to enter a valid destination machine address or ID. In accordance with exemplary embodiments of the invention any combination of the foregoing, or other, tests can be performed by a given proxy agent depending on the verification requirements of a particular incoming access request.

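The verification sequence described in the two preceding paragraphs (a proxy agent selected by port number, a protocol check against that port, then source-address, destination and time-of-day checks, all completed before any connection is formed), together with the Background's rule that a packet filter must disallow internal addresses appearing as sources on the public side, as an added Python example. It is not code from the patent or its assignee. The 10.0.0.0/8 protected prefix, the 192.0.2.0/24 deny list, the 06:00 to 22:00 access window, the two protected hosts and the HTTP and Telnet protocol fingerprints are constructed assumptions; the interactive user/password prompt mentioned in the text is not modelled.

```python
import re
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed assumptions for the demonstration. The protected side uses
# 10.0.0.0/8; a packet arriving on the public side *from* such an address is
# the spoofing case from the Background and is refused outright.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DENIED_SOURCES = [ip_network("192.0.2.0/24")]             # constructed deny list
PROTECTED_HOSTS = {ip_address("10.0.0.20"), ip_address("10.0.0.21")}
ACCESS_WINDOW = (time(6, 0), time(22, 0))                  # constructed time-of-day rule


@dataclass
class AccessRequest:
    src: str        # source address as seen on the public interface
    dst: str        # protected element named in the request
    port: int       # service port; selects the proxy agent
    payload: bytes  # first bytes of the request, used for the protocol check
    at: time        # time of day the request arrived


class ProxyAgent:
    """One agent per port. verify() completes every check before any connection."""
    port = 0

    def protocol_ok(self, payload: bytes) -> bool:
        raise NotImplementedError

    def verify(self, req: AccessRequest) -> str:
        # Protocol-versus-port check first: it is cheap and rejects most junk.
        if not self.protocol_ok(req.payload):
            return "protocol does not match port"
        src = ip_address(req.src)
        if any(src in net for net in INTERNAL_NETS):
            return "spoofed source: internal address on public side"
        if any(src in net for net in DENIED_SOURCES):
            return "source address denied"
        if ip_address(req.dst) not in PROTECTED_HOSTS:
            return "destination not a protected element"
        if not ACCESS_WINDOW[0] <= req.at <= ACCESS_WINDOW[1]:
            return "outside access window"
        return "ok"


class HttpAgent(ProxyAgent):
    port = 80
    _REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) \S+ HTTP/1\.[01]\r\n")

    def protocol_ok(self, payload: bytes) -> bool:
        return bool(self._REQUEST_LINE.match(payload))


class TelnetAgent(ProxyAgent):
    port = 23

    def protocol_ok(self, payload: bytes) -> bool:
        # Simplification: a Telnet client opens with IAC (0xFF) option negotiation.
        return len(payload) >= 3 and payload[0] == 0xFF


class FirewallBox:
    """Hands each request to the agent for its port and counts completed connections."""

    def __init__(self) -> None:
        self.agents = {a.port: a for a in (HttpAgent(), TelnetAgent())}
        self.connections = 0

    def handle(self, req: AccessRequest) -> str:
        agent = self.agents.get(req.port)
        if agent is None:
            return "no proxy agent for port"
        verdict = agent.verify(req)
        if verdict == "ok":
            self.connections += 1  # only now would the connect to the protected element happen
        return verdict


def flood(box: FirewallBox, count: int) -> int:
    """Constructed denial-of-service attempt: HTTP-shaped requests aimed at the Telnet
    port. Each fails the protocol check, so no connection is formed and the port is
    never shut down. Returns the number of connections the box has completed."""
    for _ in range(count):
        box.handle(AccessRequest("203.0.113.9", "10.0.0.20", 23, b"GET / HTTP/1.0\r\n", time(12, 0)))
    return box.connections


def demo() -> dict:
    """Constructed requests, one per verification outcome."""
    box = FirewallBox()
    http = b"GET /index.html HTTP/1.1\r\nHost: example\r\n"
    telnet = b"\xff\xfd\x18"  # IAC DO TERMINAL-TYPE
    cases = {
        "good_http":    AccessRequest("203.0.113.5", "10.0.0.20", 80, http, time(14, 0)),
        "good_telnet":  AccessRequest("203.0.113.5", "10.0.0.21", 23, telnet, time(14, 0)),
        "telnet_on_80": AccessRequest("203.0.113.5", "10.0.0.20", 80, telnet, time(14, 0)),
        "spoofed_src":  AccessRequest("10.0.0.7", "10.0.0.20", 80, http, time(14, 0)),
        "denied_src":   AccessRequest("192.0.2.9", "10.0.0.20", 80, http, time(14, 0)),
        "bad_dst":      AccessRequest("203.0.113.5", "10.0.0.99", 80, http, time(14, 0)),
        "after_hours":  AccessRequest("203.0.113.5", "10.0.0.20", 80, http, time(3, 0)),
        "no_agent":     AccessRequest("203.0.113.5", "10.0.0.20", 6667, b"NICK x\r\n", time(14, 0)),
    }
    results = {name: box.handle(req) for name, req in cases.items()}
    results["connections"] = box.connections
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>12}: {verdict}")
    print("connections after a 1000-request flood:", flood(FirewallBox(), 1000))
```

The point to observe is that FirewallBox.connections advances only after verify() has returned "ok", so the flood in flood() forms no connection to the protected side and nothing has to be shut down, in contrast to the conventional response described in the Background. In a deployment the payload would be the first bytes read from the accepted public-side socket, and the counter would be replaced by the connect made to the protected element on the requester's behalf.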
A more detailed depiction of an exemplary system in 
accordance with the present invention is shown in FIG. 3. 
The figure illustrates a network scenario involving commu- 

20 nication over a public network 306, such as the Internet. An 
institutional service provider 310 is attached to the public 
network 306 through a router 308. The institutional service 
provider 310 has a publicly accessible network 312. A user 
300 operating a host computer 302 can access the publicly 

25 accessible network 312 through the public network 306 (via 
routers 304 and 308, respectively). 

The institutional service provider 310 may be an ISP that 
develops software on internal computers 324 and 326 for 
distribution and sale. Free software can be supplied to users 

30 who access a public Web server 314 on the internal, publicly 
accessible, network. The institutional user 330 also may 
provide information about its products or services by estab- 
lishing a home page on the publicly accessible Web server 
314. The publicly accessible network 312 also may have a 

35 public E-mail system 316. Authorized subscribers may be 
permitted to access proprietary software offered on a pro- 
tected Web server 322 by accessing the institution's internal 
network 328. The internal network 328 also can have a 
secure E-mail system 320 for internal communication. The 

40 internal network 328 is protected from public access by a 
firewall 318 incorporating the present invention. 

The firewall 318 permits the internal network 328 to be attached to the public network 306 (through the publicly accessible network 312) without rendering the secure network 328 open to public access. The firewall 318, in accordance with preferred embodiments of the invention, physically separates the publicly accessible network 312 from the internal network 328. Consequently, all communications attempting to access the internal network 328, or any network elements attached thereto, must pass through the firewall 318. To secure it from direct (i.e., keyboard) access, the firewall 318 is preferably maintained in a secure location on the premises of the institution 310.

The firewall 318 can run on a general purpose computer. Such a computer, in accordance with preferred embodiments, is a stand alone machine, or firewall box, dedicated to the firewall application. The addition of other programs to the firewall box merely undermines the strength of the firewall 318. Such additional programs can be used to bypass, or attach to and attack, the firewall 318.

The firewall application comprises a plurality of proxy agents that are assigned to investigate and handle incoming access requests. A proxy agent is preferably assigned in accordance with a port number designation indicated in a request. The assigned proxy agent processes the access request, forms the connection, if verified, and manages the completed connection. A designer can dictate what set of verification tests are to be run on a particular incoming request. For instance, an assigned proxy agent can first check to ensure that the protocol of the access request matches that of the indicated port. If there is a discrepancy, the request is denied. A next check can involve investigation of a source address (i.e., the host machine from which the access inquiry originated) of the access request. This permits the proxy agent to make an initial assessment of the authenticity of the request. If a particular source has a higher probability of generating suspect packets (e.g., an unknown university computer), a proxy agent can optionally invoke a more rigorous series of verification tests. However, if the source is inherently secure (e.g., a firewall protected machine at a company's headquarters communicating with their R&D site), the proxy agent might proceed directly to connecting the incoming request with a destination host machine. Once the source is determined, the proxy agent can run an appropriate combination of verification checks suited to the integrity of the request as indicated by its source. In the event that a legitimate user is accessing a protected network element using a suspect computer (e.g., a visiting professor logging on to a university's host computer rather than his or her office computer), it may be advantageous to allow such a user through, but only after a more rigorous set of interactive verification tests. However, the packet source address need not necessarily dictate the particular combination of verification tests performed by the proxy agent. A proxy agent can have a fixed set of verification tests based on the port designation. The particular selection of verification checks is discretionary. Several such checks are described below.

Source address verification can be based on a check of the validity of one or more specific addresses, or on a range of address values (e.g., the first octet has a value of between zero and 100). Such a check involves a determination of whether a host source address of an incoming packet comports with a list of authorized or unauthorized addresses, or is within a designated range. If the source address is not on the list, the packet is discarded. Referring back to FIG. 3, in the event that the external user 300 attempts to contact a network element behind the firewall 318, the proxy agent can check the source address of the host computer 302. If the proxy agent determines that the host computer 302 does not have an authorized address, the request originating from the host computer 302 is discarded.

A second check can be used to determine the authority of an access request based on the identity of a user seeking to gain access. This may involve interactively prompting the user 300 to enter either a user name, or a user/password combination. Because the proxy agent is protocol sensitive, it is designed to issue prompts in accordance with the format indicated by the port number of the incoming access request. A particular user may have limited access, in which case the user may be prompted to enter the address of the destination machine to be accessed. If the proxy agent determines that the user is not authorized to access the requested destination machine, the user can be re-prompted to enter another destination machine, or the request can be discarded altogether.

A third check can be performed to determine whether the time period during which an access request is being made is authorized in and of itself, or for a particular user, source address, or destination address indicated in the request. For example, the check can permit access to a certain class of network elements during certain periods (e.g., between 7:00 a.m. and 5:00 p.m. U.S. Pacific standard time). The time period check can include any combination of time of day, day of week, week of month, month of year, and/or year.

A fourth check can be invoked to determine whether the destination address indicated by an access request is authorized. This check can be performed by examining packet destination address information, or possibly by prompting a user to enter the information. For example, in File Transfer Protocol (FTP) requests, the user may be required to enter the destination address (e.g., "username@host") in response to a prompt generated by the assigned proxy agent.

A proxy agent can also run tests that intercept and discard any messages that attempt to initiate a process on the firewall 318 itself. For example, a conventional system having bundled applications may include an application such as SendMail. SendMail, in addition to providing mail delivery, also contains features for collecting and tracking source and destination information of mail messages. The information derived by a hacker through execution of such SendMail commands can be used to gain access to secure network elements. Hence, a proxy agent in accordance with the invention can include, within its set of tests, a check for ferreting out and discarding packets having nested executable commands. A firewall incorporating the invention can, however, facilitate the communication of normal electronic messages. Hence, valid mail can be passed through the firewall 318 to an internal E-mail system 320 if otherwise authorized.

The checks described do not represent an exhaustive list of available verification checks. They merely represent a variety of access validation checks and are described to assist in describing exemplary embodiments of the invention. The particular combination of tests is discretionary. Other checks can be added as deemed fit or necessary for a particular scenario.
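The check set described in this section, as an added worked example that is not part of the patent: a port-keyed proxy agent in Python that first confirms the request is formatted for the protocol its port implies, then classifies the source address (denied, trusted, known, or unknown) and runs no further checks, the standard set, or the rigorous interactive set accordingly, with a fixed-set agent for FTP that always prompts for credentials. The port table, address ranges, user table and business-hours window are constructed sample data, and the denial reason strings are this example's own.

```python
"""Port-keyed proxy-agent verification pipeline (added example, not the patent's code).

A proxy agent is selected by destination port.  It confirms that the request
is formatted for the protocol its port implies, classifies the source address,
and then runs either no further checks (trusted source), the standard set
(known source) or the rigorous interactive set (unknown source, or an agent
whose check set is fixed).  All addresses, users, ports and time windows
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
import hmac
import ipaddress
from typing import Optional, Tuple


@dataclass
class AccessRequest:
    port: int                 # port number designation in the request
    protocol: str             # protocol the payload is actually formatted for
    source: str               # host from which the access inquiry originated
    destination: str          # network element behind the firewall
    received_at: datetime
    user: Optional[str] = None
    password: Optional[str] = None


# Constructed policy data (assumed for the example, not from the patent).
PROTOCOL_FOR_PORT = {80: "http", 21: "ftp", 25: "smtp"}
TRUSTED_SOURCES = ["203.0.113.0/24"]               # e.g. a firewalled HQ network
KNOWN_SOURCES = ["198.51.100.0/24", "192.0.2.10"]  # on the authorized list
DENIED_SOURCES = ["192.0.2.99"]                    # on the unauthorized list
BUSINESS_HOURS = (time(7, 0), time(17, 0))         # authorized time window
USERS = {  # user -> (password, destinations that user may reach)
    "prof": ("correct horse", {"protected-web", "secure-mail"}),
    "guest": ("guest pw", {"public-web"}),
}
FIXED_RIGOROUS_PORTS = {21}   # agents that always run the full interactive set


def _in_any(addr: str, ranges) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def check_protocol(req: AccessRequest) -> Optional[str]:
    if PROTOCOL_FOR_PORT.get(req.port) != req.protocol:
        return "protocol does not match indicated port"
    return None


def check_time(req: AccessRequest) -> Optional[str]:
    start, end = BUSINESS_HOURS
    if not start <= req.received_at.time() <= end:
        return "outside authorized time period"
    return None


def check_user(req: AccessRequest) -> Optional[str]:
    if req.user is None or req.password is None:
        return "user name and password required"   # the agent would prompt here
    rec = USERS.get(req.user)
    if rec is None or not hmac.compare_digest(rec[0].encode(), req.password.encode()):
        return "invalid user name or password"
    return None


def check_destination(req: AccessRequest) -> Optional[str]:
    # Only meaningful after check_user has passed, so req.user is in USERS.
    if req.destination not in USERS[req.user][1]:
        return "destination not authorized for this user"
    return None


STANDARD_CHECKS = [check_time]
RIGOROUS_CHECKS = [check_time, check_user, check_destination]


def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return ("deny", reason) or ("connect", description)."""
    if req.port not in PROTOCOL_FOR_PORT:
        return ("deny", "no proxy agent assigned to port")
    reason = check_protocol(req)
    if reason:
        return ("deny", reason)
    if _in_any(req.source, DENIED_SOURCES):
        return ("deny", "source address not authorized")
    fixed = req.port in FIXED_RIGOROUS_PORTS
    if _in_any(req.source, TRUSTED_SOURCES) and not fixed:
        checks = []                 # inherently secure source: connect directly
    elif _in_any(req.source, KNOWN_SOURCES) and not fixed:
        checks = STANDARD_CHECKS
    else:
        checks = RIGOROUS_CHECKS    # unknown or suspect source, or fixed-set agent
    for check in checks:
        reason = check(req)
        if reason:
            return ("deny", reason)
    return ("connect", f"proxy connects to {req.destination}:{req.port} on behalf of {req.source}")


def make_request(port, protocol, source, destination, hour, user=None, password=None):
    """Build a request received at the given hour on a fixed sample date."""
    return AccessRequest(port, protocol, source, destination,
                         datetime(2024, 1, 15, hour, 0), user, password)


if __name__ == "__main__":
    print(evaluate(make_request(80, "http", "203.0.113.5", "public-web", 22)))
    print(evaluate(make_request(80, "http", "198.51.100.7", "public-web", 22)))
    print(evaluate(make_request(80, "http", "8.8.8.8", "protected-web", 10, "prof", "correct horse")))
```

The order matters: the protocol/port agreement and the denied list are evaluated before any interactive prompt, so a mismatched or blacklisted request is discarded without the agent ever revealing that a destination exists behind the firewall.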

After a proxy agent successfully completes its set of one or more verification tests, the proxy agent initiates a connection request to the destination machine (and port) on behalf of the incoming access request. The purpose of this practice is to maintain anonymity on each side of the firewall. A party tapping either of the connections entering or exiting the firewall only "sees" the elements on each side of the tap, but not those beyond the tap.

In accordance with another aspect of exemplary embodiments of the invention, security is supplemented by performing packet filtering on incoming access request packets. Such packet filtering can be provided either by the operating system of the firewall box, or by a router, such as router 308. In accordance with preferred embodiments, the packet filtering is directed to eliminating source based routing. Therefore, the packet filter maintains a list of addresses corresponding to network elements residing behind the firewall 318. If any incoming access request has a source address of a network element behind the firewall 318, that packet will be intercepted and discarded.
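The packet filter described above, as an added example in Python that is not part of the patent: it parses a minimal IPv4 header, drops any packet arriving from the public side whose source address falls within the internal ranges (the check the text describes), and, going one step beyond the text, also drops packets carrying a loose or strict source-route option, since those options are how source-based routing is requested in IPv4. The internal address ranges and the packets produced by build_ipv4 are constructed sample data.

```python
"""Ingress anti-spoofing packet filter (added example, not the patent's code).

Models the packet filter the patent places in the firewall operating system
or the border router: a packet arriving on the public-facing interface whose
source address belongs to a network element behind the firewall is discarded,
as is a packet carrying an IPv4 loose (131) or strict (137) source-route
option.  Address ranges and packets here are constructed sample data.
"""
import ipaddress

# Addresses of network elements residing behind the firewall (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]
# IPv4 option type codes for loose and strict source routing (RFC 791).
SOURCE_ROUTE_OPTIONS = {131, 137}


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no payload, zero checksum) for testing."""
    while len(options) % 4:
        options += b"\x00"                        # pad with End-of-Option-List
    ihl = 5 + len(options) // 4
    header = bytearray(ihl * 4)
    header[0] = (4 << 4) | ihl                    # version 4, header length in words
    header[2:4] = (ihl * 4).to_bytes(2, "big")    # total length (header only)
    header[8] = 64                                # TTL
    header[9] = 6                                 # protocol: TCP
    header[12:16] = ipaddress.ip_address(src).packed
    header[16:20] = ipaddress.ip_address(dst).packed
    header[20:] = options
    return bytes(header)


def parse_ipv4(pkt: bytes) -> dict:
    """Return source, destination and the set of option type codes present."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated header")
    options = set()
    i = 20
    while i < ihl:
        opt_type = pkt[i]
        if opt_type == 0:              # End of Option List
            break
        if opt_type == 1:              # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("malformed option")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option")
        options.add(opt_type)
        i += length
    return {"src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "options": options}


def filter_ingress(pkt: bytes) -> tuple:
    """Decision for a packet arriving on the public-facing interface."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    if any(hdr["src"] in net for net in INTERNAL_NETS):
        return ("drop", "source address claims to be behind the firewall")
    if hdr["options"] & SOURCE_ROUTE_OPTIONS:
        return ("drop", "source-routing option present")
    return ("accept", str(hdr["src"]))


if __name__ == "__main__":
    print(filter_ingress(build_ipv4("10.10.3.4", "192.168.50.1")))
    print(filter_ingress(build_ipv4("198.51.100.7", "192.168.50.1")))
```

Malformed headers are dropped rather than parsed leniently: a filter that guesses at a truncated or inconsistent option field can be led to a different source address than the downstream stack will see.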

FIGS. 4A and 4B depict a flow diagram of an exemplary process for analyzing an access request received at the firewall 318 of FIG. 3. The process described is merely exemplary, and any combination of checks or steps may be performed in accordance with a selected combination of checks. Furthermore, the order of step execution can be altered as needed for a particular scenario.

Consider the situation where the user 300 in FIG. 3 is authorized to access the Web server 322 that resides behind the firewall 318. To access the Web server 322, the user 300, operating the host computer 302, first logs onto a public network (step 400) that is compatible with TCP/IP protocols. To access the Web server of the institution 310, the user 300 enters an appropriate address (step 402), such as "http://webwho.com". The access request is received by a router 304 which forwards the message to the Internet 306. The Internet may forward the message through a series of routers and present it to a router 308 that services the institution 310.

Because the access request seeks to access a destination address residing behind the firewall 318, the access request message is presented to the firewall 318 (step 404). In accordance with an exemplary embodiment, a proxy agent running on the firewall 318 is assigned to the access request in accordance with a preliminary analysis of the port number designation within the packet representing the access request (step 406). In this case, port number 80 (HTTP) would ordinarily be designated in the request. The assessment also can involve a determination of whether the service indicated by the port number comports with the contents of the request (step 408). That is, does the request indicate one service (port number) while being formatted for another? If there is disparity, the access is denied (step 410).

The proxy agent can then analyze a source address to determine whether the host computer 302 from which the message originated is authorized to access the secure Web server 322 (step 412). As described above, this check can be used to optionally invoke a more rigorous set of verification checks if the source is unknown or suspect. This assessment can involve a comparison of the source address with a list of authorized or unauthorized addresses maintained by the proxy agent (step 414). In the exemplary case here, if the source address is not authorized (i.e., the source address is not on the list), the access request is denied (step 416). The extent to which a proxy agent verifies the validity of an access request can vary. It should be noted that in some cases, a proxy agent may need to do little more than verify address information before initiating a connection to the destination device on behalf of the source host. Alternatively, if a source address is suspect, or a proxy agent's set of checks is fixed, the proxy agent can perform additional checking.

In the present exemplary scenario the access request message is further analyzed to determine whether the access request is being received during an authorized time period, such as a time of day (step 418). If the time of day during which the access request is received is not authorized, the connection request is denied (step 420). The time of day assessment can be tailored for specified users, source host machines, and/or IP addresses. For example, to prevent evening hacking by users in Canada, North, and South America, such users may be denied access other than during normal U.S. business hours. A user in India, however, operating during Indian daylight hours, may be allowed to access the system during U.S. evening hours.

A proxy agent also can assess whether user or user/password information is necessary to gain access (step 422). If not, the proxy agent can initiate the connection (step 424). If the information is required, the proxy agent prompts the user with an appropriately formatted message to enter a username and/or password information (step 426). The user name and/or password information is checked (step 428). If an unauthorized user name is entered, or the password is invalid, the access request is denied (step 430). If a valid user name, or user/password combination is entered, the proxy agent can make further assessments, if deemed necessary or appropriate, to determine whether the host machine 302 is authorized to access the particular destination (e.g., Web server 322) (step 432). If not authorized, the access is denied (step 434). An additional proxy agent check can determine whether the particular network element to which the user 300 is attempting to gain access is available to the particular user (step 436). If not authorized, the access request is denied (step 438).

If after the proxy agent has completed its set of tests it is determined that the access request is authorized, the proxy agent initiates a connection to the Web server 322 on behalf of the source machine 300 (step 440). Because the firewall forms a connection (using a proxy agent) following the completion of validation checks associated with the proxy agent's test set, the firewall functions as a Bastion host, or firewall server, on behalf of the access request source. By using the firewall as a Bastion host, or firewall server, to act on behalf of the user accessing the secure network 328, the identity of internal network elements is not revealed because the firewall 318, acting as an intermediary, shields the identity of the network elements on whose behalf it is acting. All the external user sees, in terms of addresses, is the firewall. If an internal connection is tapped onto, a valid source address or user identity is not available to the hacker as the firewall 318 appears to be the source of the connection. Hence, a firewall arrangement in accordance with the invention provides two-way transparency.

Another aspect of an exemplary embodiment of the invention involves sending an "out-of-band" system message in response to a username or username/password combination provided by a user. Such a system involves communicating a password, or password portion, back to a user on a communication medium other than the computer network being used. The user enters the information received by out-of-band means to complete a logon process. For example, a user can be prompted to enter their username and the first half of a password. The system receiving this information, upon verifying it, sends back the remaining half of the password to the user by automatically generating a phone call to a beeper provided to the user. The beeper's display indicates the remaining password portion which is then entered by the user to complete the logon. The identity of the user is thereby authenticated. A hacker does not possess the means to receive the out-of-band response (i.e., the beeper). The password, or password portion sent back to the user by out-of-band means can be a random number generated by the firewall system.

Another aspect of exemplary firewall systems operating in accordance with the invention is that all processes, including proxy agents, running on the firewall, operate in a "daemon mode." When a computer operating system receives a request to perform a task it will open up a job and designate a corresponding job number in order to provide and manage resources associated with that job. When the task is completed the operating system designates the job for closure. However, the actual closure of the job and removal of the corresponding job number does not always take place immediately because it is considered to be a low priority task. This occasionally leaves an idle job open on the system awaiting closure. Hackers have learned that they can exploit such an idle job, reactivate its status, and access resources available to the job. By operating in a daemon mode, the operating system of the firewall box immediately shuts down jobs following the completion of designated tasks.

When a computer upon which the firewall is running is operating in a UNIX environment, there are UNIX-specific security measures that can be invoked. One such security measure is the "changeroot" feature. A "root" user is a user having high levels of access to files branching from a "root directory." If a hacker can access a root directory, the hacker may be able to access the files hierarchically emanating from the root directory. In accordance with another aspect of a secure database system incorporating the present invention, all jobs running on the firewall system and on the secure database system are preceded by a "changeroot" command to change the identity of the root directory. A new root directory is created by execution of this command that can be used for transaction-specific purposes. This new directory does not have access to any of the original file directories branching from the original root directory. Consequently, if a hacker is able to access information associated with a job, corresponding root directory data will be useless.
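The out-of-band logon described above, as an added example that is not part of the patent: the user name and first password half are verified, the firewall generates a random second portion, sends it over a simulated beeper channel rather than the network connection, and completes the logon only if that exact portion is typed back once, before it expires. The user table, pager numbers, code length and 120-second validity window are constructed assumptions; the single-use and expiry handling go slightly beyond what the text states.

```python
"""Out-of-band second password portion (added example, not the patent's code).

After the user name and first password half are verified, the firewall
generates a random second portion, delivers it over a channel other than the
network connection (a simulated pager here), and completes the logon only when
the user types back that portion, once, before it expires.  Users, pager
numbers, code length and lifetime are constructed sample values.
"""
import hmac
import secrets
import time

# Constructed user table: user -> (first password half, pager number).
USERS = {"alice": ("first-half", "555-0100")}
CODE_TTL = 120        # seconds the out-of-band portion remains valid (assumed)
CODE_DIGITS = 6       # length of the numeric portion shown on the beeper (assumed)


def random_code() -> str:
    """Second password portion: a random number generated by the firewall."""
    return "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))


class Pager:
    """Simulated beeper channel: records what would be transmitted out of band."""
    def __init__(self):
        self.sent = []

    def page(self, number: str, text: str) -> None:
        self.sent.append((number, text))


class Logon:
    def __init__(self, pager, clock=time.monotonic, generate=random_code):
        self.pager = pager
        self.clock = clock          # injectable so expiry can be tested
        self.generate = generate    # injectable so the code can be fixed in tests
        self.pending = {}           # user -> (code, expiry time)

    def begin(self, user: str, first_half: str) -> bool:
        """Step 1: verify user name and first half; on success page the second half."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec[0].encode(), first_half.encode()):
            return False
        code = self.generate()
        self.pending[user] = (code, self.clock() + CODE_TTL)
        self.pager.page(rec[1], code)   # leaves only via the out-of-band channel
        return True

    def complete(self, user: str, code: str) -> bool:
        """Step 2: accept the typed-back portion once, and only before it expires."""
        entry = self.pending.pop(user, None)   # single use, whatever the outcome
        if entry is None:
            return False
        expected, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    pager = Pager()
    logon = Logon(pager)
    if logon.begin("alice", "first-half"):
        number, code = pager.sent[-1]
        print("paged", number, "with", code)
        print("logon complete:", logon.complete("alice", code))
```

The pending entry is removed before the comparison, so a wrong guess burns the code instead of leaving it open to repeated attempts, and a correct answer cannot be replayed.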

Another aspect of a system in accordance with the invention is the use of aliases by the firewall when addressing machines residing behind the firewall. A machine behind the firewall can be addressed by the firewall according to an alias of its actual IP address. Hence, if a hacker is somehow able to tap the firewall, any addresses detected by the hacker corresponding to machines attached to the backside of the firewall will be fictitious.

An additional security feature that can be provided in the firewall system is a transaction log. Such a log gathers information associated with any access request message seeking to connect to or inquire about network elements residing behind the firewall. Information gathered in such a transaction log may include, but is not limited to, the source address (what is the identity of the machine from which the request originated), the IP address (which Internet port system did the request originate over), the destination address (who is the request trying to reach), time of access, and/or the identity of the user (who is using the source machine). This information can facilitate identifying a hacker if the hacker's activities require legal attention.

The exemplary scenarios described above are directed primarily to situations where outside users are attempting to access network elements residing behind a firewall. It should be noted, however, that a firewall in accordance with the present invention also can be utilized to monitor and control packet traffic originating from behind a firewall, allowing and disallowing connection based upon predetermined rules. Hence, a firewall incorporating the invention also can be used to control what, where, who, how and when a user behind the firewall can access the outside world. This can be done in addition to monitoring and controlling incoming traffic.

Because exemplary embodiments involve the operation of computing systems, an exemplary embodiment of the invention can take the form of a medium for controlling such computing systems. Hence, the invention can be embodied in the form of an article of manufacture as a machine readable medium such as floppy disk, computer tape, hard drive disk, CD ROM, RAM, or any other suitable memory medium. Embodied as such, the memory medium contains computer readable program code which causes a computing system upon which the firewall system is running to function or carry out processes in accordance with the present invention.

An exemplary application of the invention has been described protecting an internal network. However, one skilled in the art will readily appreciate and recognize that the firewall system or method of operation in accordance with the invention can be applied in any scenario requiring the protection of network elements that are attached to a publicly accessible medium, such as the Internet. The invention provides the benefit of attaching a system to a public network with reduced apprehension of that system being compromised over the public network.
The invention has been described with reference to particular embodiments. However, it will be readily apparent to those skilled in the art that it is possible to embody the invention in specific forms other than those of the embodiments described above. Embodiment of the invention in ways not specifically described may be done without departing from the spirit of the invention. Therefore, the preferred embodiments described herein are merely illustrative and should not be considered restrictive in any way. The scope of the invention is given by the appended claims, rather than by the preceding description, and all variations and equivalents which fall within the range of the claims are intended to be embraced therein.

What is claimed is: 

1. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized, wherein the at least one proxy agent verifies that a time period during which an incoming access request is received is valid.

2. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized;

wherein the at least one proxy agent performs a Changeroot command prior to processing an incoming access request.

3. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box comprising a stand alone computing platform;

a first connection connecting the network to the firewall box;

a second connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized, wherein the at least one proxy agent prompts the user to enter a user name and a password and verifies that a user associated with an incoming access request is authorized to access the network element, and upon receiving and verifying the user name and password, communicates a second password to the user using a communication channel other than the computer network being used to initiate the connection, which second password is to be entered by the user to advance a logon process.

4. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element;

forming a connection to the network element via the proxy agent on behalf of the incoming access request, if the authority of the incoming access request is verified;

wherein the step of verifying the authority of the incoming access request includes:

determining the identity of a source of the incoming access request;

initiating a first set of verification checks in response to a first identified source; and

initiating a second set of verification checks in response to a second identified source.

5. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with at least a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element; and thereafter

forming a connection to the network element via the proxy agent on behalf of the incoming access request if the authority of the incoming access request is verified;

wherein the step of verifying the authority of the incoming access request includes:

verifying that a user associated with the incoming access request is authorized to access the network element;

checking the accuracy of a first password associated with the incoming access request; and

communicating a second password to the user using a communication channel other than the network connection, which second password is to be entered by the user to advance a logon process.

6. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request;

assigning a proxy agent to the incoming access request in accordance with a port number indicated in the incoming access request;

verifying the authority of the incoming access request to access the protected network element;

verifying that a time period during which an incoming access request is received is valid; and

forming a connection to the network element via the proxy agent on behalf of the incoming access request if the authority and time period of the incoming access request is verified.

7. The firewall system as in claim 1, 2, 3, wherein the 
firewall box is dedicated to a firewall application. 

8. The firewall system as in claim 1, 2, or 3, wherein the 
firewall box is a general purpose computer. 

9. The firewall system as in claims 1, 2, or 3, wherein the 
firewall box executes a plurality of proxy agents, each of the 
plurality of proxy agents configured to verify the incoming 
access request in accordance with a port number indicated in 
an incoming access request. 

10. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent verifies that a source address 
associated with an incoming access request is authorized to 
access the network element. 

11. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent verifies that an incoming access 
request contains no executable commands directed to the 
firewall box. 

12. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent verifies that a destination associated 
with an incoming access request is valid. 

13. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent verifies that a destination indicated 
in an incoming access request is valid for a user associated 
with the incoming access request. 

14. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent addresses the network element 
according to an alias. 

15. The firewall system as in claims 1, 2, or 3, wherein the at least one proxy agent manages the connection to the network element.

16. The firewall system as in claims 1, 2, or 3, wherein the 
at least one proxy agent operates in a daemon mode. 

17. The firewall system as in claims 1, 2, or 3, wherein an 
operating system of the firewall box performs packet filter- 
ing. 

18. The firewall system as in claims 1, 2, or 3, further 
comprising: 

a router attached between the firewall box and the public network, which router performs packet filtering.

19. The firewall system as in claims 1, 2, or 3 further 
comprising: 

a transaction log for recording information regarding an 
access request. 

20. The firewall system as in claims 1 or 2, wherein the 
at least one proxy agent prompts the user to enter a user 
name and verifies the user name entered. 

21. The firewall system as in claim 3, wherein the second 
password is a random number. 

22. The firewall system as in claim 3, wherein the 
communication channel is a beeper. 

23. The firewall method as in claims 4, 5 or 6, wherein an 
assigned proxy agent is selected from a plurality of proxy 
agents, each of the plurality of proxy agents configured to 
verify the incoming access request in accordance with a port 
number indicated in an incoming access request. 

24. The firewall method as in claims 4, 5 or 6, wherein the 
step of verifying the authority of the incoming access 
request includes: 

using the at least one proxy agent to verify that a source 
address associated with an incoming access request is 
authorized to access the network element. 

25. The firewall method as in claims 4, 5 or 6, wherein the 
method further comprises the steps of: 

using the at least one proxy agent to prompt the user to 
enter a user name; and 
verifying the authority of the user name entered.

26. The firewall method as in claims 4, 5 or 6, wherein the method further comprises the steps of:

using the at least one proxy agent to prompt the user to enter a user name and a password; and

verifying the authority of the user name and password entered.

27. The firewall method as in claims 4, 5 or 6, wherein the step of verifying the authority of the incoming access request includes:

verifying that an incoming access request contains no executable commands.

28. The firewall method as in claims 4, 5 or 6, wherein the step of verifying the authority of the incoming access request includes:

verifying that a destination associated with an incoming access request is valid.

29. The firewall method as in claims 4, 5 or 6, wherein the step of verifying the authority of the incoming access request includes:

verifying that a destination indicated in an incoming access request is valid for a user associated with the incoming access request.

30. The firewall method as in claims 4, 5 or 6, wherein the step of forming a connection to the network element on behalf of the incoming access request includes:

31. The firewall method as in claims 4, 5 or 6, wherein the at least one proxy agent operates in a daemon mode.

32. The firewall method as in claims 4, 5 or 6, wherein the method further includes the step of:

having the at least one proxy perform a Changeroot command prior to processing an incoming access request.

33. The firewall method as in claims 4, 5 or 6, wherein the method further includes the step of:

performing packet filtering on the incoming access request.

34. The firewall method as in claims 4, 5 or 6, further comprising the step of:

maintaining a transaction log for recording information regarding an access request.

35. The firewall method as in claim 5, wherein the password is a random number.

36. The firewall method as in claim 5, wherein the communication channel includes a beeper.

* * * * *